Hi Lukasz, it is a Zywall USG 300. And I thought that success was near when I was able to establish the tunnel. The Zywall is not configured exactly like it is described in the Shrew-Zywall-Howto, but it still kind of works. Apart from the fact that I cannot reach IPs on the remote network. Everyone else in the company is using the commercial Windows client available from Zyxel. So no chance to get any changes to the device config done just for me.
Greets
Ralf

On Thu, 2010-08-05 at 15:24 +0100, Lukasz Sokol wrote:
> Hello Ralf,
>
> which ZyWALL device are you connecting to ?
>
> I tried a few times to (not only Shrew, GreenBow too) configure IPSEC
> tunnel(s), using zywall 5, 35 or usg300,
> only to be beaten by phase2 error - i.e. i could not enter tunnel-client
> settings compatible
> with zywall; it was looking like zywall had to have phase2 id == ipsec client
> policy or else
> connection was ended by gateway due to phase1 timeout or phase2 id mismatch.
> (yes it was long ago and I found my way without using ipsec vpn, but still
> interested why I failed)
>
> Would you share your configuration idea please ?
>
> Lukasz
>
> On 05/08/2010 07:26, Ralf Steppacher wrote:
> > Matthew,
> >
> > thanks for the fast response. Unfortunately making the change you
> > suggest does not make a difference. Depending on what I set under the
> > policy tab I get two different results when trying to ping a host on the
> > remote network:
> >
> > r...@ralf-ubuntu:/etc$ ping 192.168.50.10
> > PING 192.168.50.10 (192.168.50.10) 56(84) bytes of data.
> > ^C
> > --- 192.168.50.10 ping statistics ---
> > 8 packets transmitted, 0 received, 100% packet loss, time 7006ms
> >
> > Or
> >
> > r...@ralf-ubuntu:/etc$ ping 192.168.50.10
> > PING 192.168.50.10 (192.168.50.10) 56(84) bytes of data.
> > From 192.168.50.81 icmp_seq=1 Destination Host Unreachable
> > From 192.168.50.81 icmp_seq=2 Destination Host Unreachable
> > From 192.168.50.81 icmp_seq=3 Destination Host Unreachable
> > From 192.168.50.81 icmp_seq=4 Destination Host Unreachable
> > From 192.168.50.81 icmp_seq=5 Destination Host Unreachable
> > From 192.168.50.81 icmp_seq=6 Destination Host Unreachable
> > ^C
> > --- 192.168.50.10 ping statistics ---
> > 7 packets transmitted, 0 received, +6 errors, 100% packet loss, time 6018ms
> > , pipe 4
> >
> > 192.168.50.81 is the IP assigned to the tap0 interface.
> >
> >
> > Thanks for your help!
> > Ralf
> >
> >
> > On Wed, 2010-08-04 at 22:57 -0500, Matthew Grooms wrote:
> >> On 8/4/2010 9:13 AM, Ralf Steppacher wrote:
> >>> Hello all,
> >>>
> >>> I am trying to connect to our corporate network via a Zywall and the
> >>> Shrew VPN Client 2.1.5 from my Ubuntu 10.04 PC. I followed the Zywall
> >>> wiki howto as best as I could, having no access to the Zywall
> >>> configuration.
> >>>
> >>> I managed to establish a tunnel from my PC to the Zywall, but none of the
> >>> IP addresses on the remote network are reachable/pingable. My local
> >>> gateway is still pingable though. I guess it is a routing issue?
> >>>
> >>> My kernel routes with the tunnel open look like this. 192.168.1.0 being
> >>> my local network, 192.168.50.0 being the corporate network.
> >>>
> >>> r...@ralf-ubuntu:~$ route
> >>> Kernel IP routing table
> >>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> >>> default         192.168.50.81   255.255.255.0   UG    0      0        0 tap0
> >>> 192.168.50.0    *               255.255.255.0   U     0      0        0 tap0
> >>> 192.168.1.0     *               255.255.255.0   U     2      0        0 wlan0
> >>> link-local      *               255.255.0.0     U     1000   0        0 wlan0
> >>> default         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
> >>>
> >>> Does that look right to you?
> >>>
> >>> If it is OK, what else could be wrong?
> >>> In particular, I am unsure about what to set on the "Policy" tab of the
> >>> client.
> >>>
> >>
> >> Did you read this?
> >>
> >> http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001827.html
> >>
> >> -Matthew
> >> _______________________________________________
> >> vpn-help mailing list
> >> [email protected]
> >> http://lists.shrew.net/mailman/listinfo/vpn-help
